(54) Message authentication

(57) For the authentication of messages communicated in a distributed system from an originator to a destination a keyed-hashing technique is used according to which data to be authenticated is concatenated with a private (secret) key and then processed with the cryptographic hash function. The data are transmitted together with the digest of the hash function from the originator to the destination. The data comprises temporal validity information representing the temporal validity of the data. For example the setup key of a communication is therefore only valid within a given time interval that is dynamically defined by the communication originator. After the time interval is exceeded the setup key is invalid and cannot be reused again.

Description

[0001] The present invention relates to a method for the authentication of data communicated from an originator to a destination, to a method for the authenticated transmission of messages, to a software program product capable of implementing such a method, to a distributed system for communicating authenticated data from an originator to a destination as well as to a distributed system for the authenticated transmission of messages.

[0002] Generally the present invention relates to the field of secure communication setup systems and methods which allow the secure communication setup between two communication parties, an originator and a destination. In an authenticated (but not secret) two party communication setup the communication partners and the messages exchanged must be authenticated, meaning that the communicating parties can verify that the received messages have not been altered as well as that the sender and receiver are authentic.

[0003] Generally there are the following four important aspects of secure communication setup between two communicating parties:

Assurance that the originating communication partner is authorised to establish the connection (source is authentic),
assurance that the receiving communication partner is authorised (destination is authentic),
assurance that the received message was sent by the originating communication partner, and
assurance that the sent and received message has not been altered.

[0004] From the state of the art it is known to use keyed-hashing message authentication techniques. General background information on message authentication codes (MAC) and cryptographic (one-way) hashing can be found for example in Schneier, Bruce "Applied Cryptography", Addison-Wesley 1996.

[0005] Keyed-hashing for message authentication (HMAC) is a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g. MD5, SHA-1 in combination with a secret (private) shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. HMAC uses a secret key for calculation and verification of the message authentication values.

[0006] Further information on HMAC can be found for example in Bellare et al "Keying hash functions for message authentication", Proceedings of Crypto-96, LNCS 1109, pages 1 to 15.

[0007] The very first and initial communication step in communication setup (e.g. the login procedure) is susceptible to copy or replay attacks which send a copy of communication setup (e.g. a user name and password recorded from a login procedure) to the communication partner. This problem is usually solved with additional knowledge about the communication partner at the other side and/or using large random session keys or transaction keys (usually taken from a transaction hearing).

[0008] It is the object of the present invention to provide for a technique reducing the risk of copy or replay attacks particularly in the first step of a communication setup in a more efficient way.

[0009] This object is achieved by means of the features of the independent claims. The dependent claims develop further the central idea of the invention.
[0010] According to the present invention therefore a method for the authentication of data communicated from an originator to a destination is provided. A keyed-hashing technique is used according to which data to be authenticated is concatenated with a private key and then processed with a cryptographic hash function. The data are then transmitted together with the digest of the hash function from the originator to the destination. The data comprise temporal validity information representing the limited temporal validity of the data.

[0011] The temporal validity information can be defined by the originator.

[0012] The data can comprise random data which are unique for a time span defined by the temporal validity information.

[0013] The data can be a login key for a communication setup and/or a message.

[0014] According to another aspect of the present invention a method for the authenticated transmission of messages is provided. A login key is at first generated by a keyed-hashing method on the basis of random data, temporal validity information and a private key. The login key is transmitted from an originator to a destination. The authenticity and the temporal validity of the login key are verified on the basis of the keyed-hashing digest on the destination side.

[0015] In case the verification of the authenticity and the temporal validity of the login key is positive, further acknowledgement steps can be effected. An acknowledgement key can be generated by a keyed-hashing method on the basis of second random data and the private key. The acknowledgement key is transmitted from the destination to the originator. The acknowledgement key is then verified by the originator.

[0016] The acknowledgement key can furthermore comprise a time stamp and when verifying the acknowledgement key it can be checked on the basis of the time stamp and the temporal validity information whether the acknowledgement key is still valid.

[0017] The method can furthermore comprise message transmission steps in case the verification of the acknowledgement key is positive. The second random data of the acknowledgement key are extracted. A message is generated by a keyed-hashing method on the basis of the second random data, message data and the private key. The message is then transmitted from the originator to the destination and the message is verified by the destination.

[0018] The message can furthermore comprise a time stamp and when verifying the message it is checked on the basis of the time stamp and the temporal validity information whether the message is still valid.

[0019] According to still another aspect of the present invention a software program product is provided implementing, when loaded into a computing device of a distributed system, a method according to any one of the preceding claims.

[0020] According to still another aspect of the present invention a distributed system for communicating authenticated data from an originator to a destination is provided. The system is designed for a keyed-hashing technique according to which data to be authenticated is concatenated with a private key and then processed with a cryptographic (one-way) hash function. The data are then transmitted together with the digest of the hash function from the originator to the destination. The data thereby comprise temporal validity information representing the temporal validity of the data.

[0021] The originator can be designed to define the temporal (limited) validity information.

[0022] The data can comprise random data which are unique for a time span defined by the temporal validity information.

[0023] The data can be a login key for a communication setup and/or a message.

[0024] According to still another aspect of the present invention a distributed system for the authenticated transmission of messages is provided. The distributed system comprises an originator designed to generate a login key by a keyed-hashing method on the basis of random data, temporal validity information and a private key. Furthermore, a network for transmitting the login key from the originator to a destination is provided. The destination is designed to verify the authenticity and the temporal validity of the login key on the basis of the keyed-hashing digest.

[0025] The destination can be designed to generate an acknowledgement key by a keyed-hashing method on the basis of second random data and the private key and to transmit the acknowledgement key to the originator in case the verification of the authenticity and the temporal validity of the login key is positive. The originator is designed to verify the acknowledgement key.

[0026] The acknowledgement key can furthermore comprise a time stamp and when verifying the acknowledgement key the originator checks on the basis of the time stamp and the temporal validity information whether the acknowledgement key is still valid.

[0027] The originator can be designed to extract the second random data from the acknowledgement key in case the verification of the acknowledgement key is positive, to generate the message by a keyed-hashing method on the basis of the second random data, message data and the private key and to transmit the message to the destination. The destination is designed to verify the message.

[0028] The message can furthermore comprise a time stamp and when verifying the message, the destination checks on the basis of the time stamp and the temporal validity information whether the message is (still) valid.

[0029] Further features, advantages and objects of the present invention will become evident for the man skilled in the art when reading the following description of an embodiment taken in conjunction with the figures of the enclosed drawings.

Figure 1 shows handshake and information flow between two communication partners with a time synchronised communication setup by keyed-hashing message authentication (TSCS),

Figure 2 shows the TSCS login key and acknowledgement key, and

Figure 3 shows the internal structure of a TSCS login key.

[0030] According to the time synchronised communication setup by keyed-hashing message authentication (TSCS) almost all setup keys are unique by using a secure random number generator. The setup key is only valid within a given time interval that is dynamically defined by the communication originator. The information sender and receiver authenticate each other. Only if both partners are authenticated, the information will be accepted by the communication partner. After the time interval is exceeded the setup key is invalid and cannot be reused again. Within the time interval the setup key can be reused. This feature is realised without storing login keys.

[0031] The communication partners share only a single private (secret) key (of arbitrary length) which can be exchanged periodically using known secure protocols (e.g. a public key encryption method). The TSCS communication setup protocol is inherently robust against copy or replay attacks. As mentioned above, TSCS relies on the keyed-hashing for message authentication code (HMAC). It is known from the prior art that HMAC is hard to break even if the underlying secure hash function (e.g. SHA-1 or MD5) has some weakness such as predictable collisions.

[0032] Figure 1 shows handshake and information flow between two communicating partners with the Time Synchronized Communication Setup by Keyed-Hashing Message Authentication (TSCS).

[0033] In phase 1 the information originator generates a TSCS login key and sends the login key to the receiver. As shown below a TSCS login key consists of a (secure) random bit array, a unified system time, a temporal validity field and its authentication key. If the random bit array is large the chance of generating two identical random arrays is very small. The receiver receives the login key and checks its authentication key. Because the originator and the receiver share the same private key, the login key's digest differs if the login key has been altered (in this case further communication is denied). If the key is valid, the receiver checks its temporal validity as described in the validity field.

[0034] In phase 2 the receiver generates a TSCS acknowledgement key and sends it to the receiver. The acknowledgement key consists of a new random bit array (independent from the originator) and the unified system time of the receiver.

[0035] In phase 3 the originator checks the acknowledgement key (i.e. the digest and temporal validity), takes the random bit field of the acknowledgement key and merges it with the message data which is intended to be sent. The data (consisting of the message and the random field) is signed and sent to the receiver.

[0036] Then the receiver checks in phase 4 the message digest and the identity of random bit field (from the message) and the previously generated random bit array of the acknowledgement key. If the message digest is valid and the bit arrays are identical, the message has not been altered AND was generated as a result of the previous exchange of login and acknowledgement keys. The receiver then sends an acknowledgement to the communication originator.

[0037] Figure 2 shows the TSCS login and acknowledgement key. The login key is created and signed by the communication originator. The acknowledgement key is returned and signed by the receiver. The transmitted signature is not necessarily the complete keyed-hashing message authentication code (HMAC) with its full digest length. For the login and acknowledgement keys it may be meaningful for security and key length to compress the digest to limit its length.

[0038] Figure 3 shows the internal structure of a TSCS login key. The HMAC key digest may be compressed to reduce key length and to protect the private key K from key break attacks if the signed message is short (here 265 bit). A compression to 80 bit digest length (by a state machine) is appreciated for short message lengths.

[0039] The handshake between the two communicating parties consists of four phases. In the following the procedure according to the present invention will be explained in detail.

PHASE 1:

Communication originator login
[0040]

a) Generate a TSCS login key
b) generate a secure random bit array
c) append the unified time (UT) field
d) append the temporal validity field
e) generate the Keyed-Hashing Message Authentication Code (HMAC) using private key K
f) append the HMAC (or a subset of) to the login key
g) transmit the login key to the receiver

PHASE 2:

Receiver acknowledgement
[0041]

a) [OPTION 1] search the key table for a key that is identical to the current login key random bit field
b) [OPTION 1] if a duplicated key was found in the key table, terminate connection and exit
c) [OPTION 1] store the random bit array of the login key in the key table until key expires
d) verification of the login key authenticity and validity
e) check the login key signature (the digest)
f) calculate own HMAC using private key K
g) compare own HMAC with login key digest
h) check the login key temporal validity
i) calculate the difference between login key universal time and current time (of the receiver)
j) check if time difference (the absolute value) is less than the temporal validity of the login key
k) generate the acknowledgement key
l) generate secure random bit array (the session key)
m) store session key
n) append the unified time (UT) field
o) generate the Keyed-Hashing Message Authentication Code (HMAC) using private key K
p) append the HMAC (or a subset of) to the acknowledgement key
q) transmit acknowledgement key to communication originator

PHASE 3:

Message transmission
[0042]

a) verification of the acknowledgement key authenticity and validity
b) check the acknowledgement key signature (the digest)
c) calculate own HMAC using private key K
d) compare own HMAC with acknowledgement key digest
e) check the acknowledgement key temporal validity
f) calculate the difference between acknowledgement key universal time and current time (of the originator)
g) check if time difference (absolute value) is less than the temporal validity of the acknowledgement key
h) extract the random bit field from acknowledgement key
i) append or merge the random field (the session key) with the message data
j) [OPTION 2] append universal time (of the originator) to the message
k) sign the message data and session key (and optionally universal time), i.e. calculate HMAC of message data and session key using private key K
l) append HMAC (or a subset of) to the message data and session key
m) transmit the message, i.e. transmit the message data, session key and HMAC to the receiver

PHASE 4:

Message verification
[0043]

a) verification of the message authenticity (and optionally validity)
b) compare the session key of the message with the previously stored session key
c) check the message signature (the digest)
d) calculate own HMAC using private key K
e) compare own HMAC with message digest
f) [OPTION 2] check the message temporal validity
g) [OPTION 2] calculate the difference between message universal time and current time (of the receiver) (optionally)
h) [OPTION 2] check if time difference (absolute value) is less than the temporal validity of the acknowledgement key (optionally)
i) return an acknowledgement to the communication originator

[0044] OPTION 1 is designed to eliminate so-called replay attacks (multiple use of the TSCS login key) even if the time span according to the appended temporal validity field is not yet expired. Note that said time span can be user defined between some nanoseconds and some minutes. Particularly in an Internet environment the time span will be chosen to be very long, whereas in directly connected networks it will be chosen to be quite short.

[0045] OPTION 2 gives the possibility to define a further time span for the temporal validity of the message itself.
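The four phases above, with OPTION 1's key table, as a runnable sketch. This is an added example, not code from the patent: the field widths, the millisecond time base, HMAC-SHA256, plain truncation to 80 bits and the per-type label mixed into the MAC input are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time

TAG_LEN = 10                     # assumed: HMAC truncated to 80 bits ("a subset of")
LOGIN = struct.Struct(">16sQI")  # assumed layout: random bits | UT (ms) | validity (ms)
ACK = struct.Struct(">16sQ")     # assumed layout: session key | UT (ms)


def _tag(key, label, body):
    # HMAC-SHA256 replaces the MD5/SHA-1 options; the label keeps a login key,
    # ack key and message from verifying as one another (added hardening).
    return hmac.new(key, label + body, hashlib.sha256).digest()[:TAG_LEN]


def _open(key, label, blob):
    """Return the body if the trailing tag verifies, else raise ValueError."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, label, body)):
        raise ValueError("bad digest")
    return body


def _now(now):
    return time.time_ns() // 1_000_000 if now is None else now


def make_login_key(key, validity_ms, now=None):
    """Phase 1: random bits, unified time, validity field, then the HMAC."""
    body = LOGIN.pack(secrets.token_bytes(16), _now(now), validity_ms)
    return body + _tag(key, b"L", body)


class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen = {}          # OPTION 1 key table: random bits -> expiry (ms)
        self.sessions = set()   # session keys issued and not yet used

    def accept_login(self, blob, now=None):
        """Phase 2: check digest, time window and key table; return the ack key."""
        now = _now(now)
        # Digest first, so unauthenticated input never reaches the key table.
        rnd, ut, validity = LOGIN.unpack(_open(self.key, b"L", blob))
        if abs(now - ut) >= validity:
            raise ValueError("login key expired")
        self.seen = {r: exp for r, exp in self.seen.items() if exp > now}
        if rnd in self.seen:
            raise ValueError("replayed login key")
        self.seen[rnd] = ut + validity
        session = secrets.token_bytes(16)
        self.sessions.add(session)
        ack = ACK.pack(session, now)
        return ack + _tag(self.key, b"A", ack)

    def accept_message(self, blob):
        """Phase 4: digest must verify and the session key must be one we issued."""
        body = _open(self.key, b"M", blob)
        session, data = body[:16], body[16:]
        if session not in self.sessions:
            raise ValueError("unknown session key")
        self.sessions.discard(session)  # assumed: one message per handshake
        return data


def make_message(key, ack_blob, validity_ms, data, now=None):
    """Phase 3: verify the ack key, then sign session key + message data."""
    session, ut = ACK.unpack(_open(key, b"A", ack_blob))
    if abs(_now(now) - ut) >= validity_ms:
        raise ValueError("acknowledgement key expired")
    body = session + data
    return body + _tag(key, b"M", body)
```

The `now` parameters exist only so the time window can be exercised deterministically; in use both sides read their own clocks, so the validity span has to cover their skew plus transit time.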

[0046] As explained the invention relates to authenticated transmission of messages in distributed messaging and (multimedia) telecommunication systems. Time synchronized message and communication authentication can be also applied to a common message based communication between two communication partners. With minimal extension the TSCS can be also applied to 1-to-N communication like broadcast. The present invention relates to message oriented communication. Logically, message oriented communication means here that in an initial step the communication is established, then the message is sent and in a third step an (optional) acknowledgement is returned by the receiving party. Message oriented communication is not effective for applications that require continuous (uni- or bi-directional) data transmission such as in real-time voice or video transmissions.

[0047] A technique for realizing secure authentication of communication setup and message transmission between two communicating parties is described. Time Synchronized Communication Setup by Keyed-Hashing Message Authentication (TSCS) provides the ability of

• Authentication of communicating partners.

• Authentication of transmitted information.

• Communicating partners share only a single private key that can be periodically changed (between the partners) by using state-of-the-art public key encryption for key transmission.

• Limited temporal validity (from nanoseconds to days) of session keys that enhances communication security and limits the chance and the effects of copy or replay attacks,

• Unsolicited message data sent from replay attacks will be (almost) detected,

• When secure random keys are stored during their time of validity (from nanoseconds to days), replay attacks during the initial communication setup phase (which does not harm message integrity) are (almost) impossible,

• Formerly exchanged session keys can (almost) never be reused again after a defined time interval (defined by the communication originator). This key property is realized without the storage of session keys.

• Limitation (inherent in the apparatus) of the temporal validity of transmitted information.



Claims 

1. Method for the authentication of data communicated from an originator to a destination,
wherein a keyed hashing technique is used, according to which data to be authenticated is concatenated with a private key and then processed with a cryptographic hash function, and the data are transmitted together with the digest of the hash function from the originator to the destination,
characterized in that
the data comprises temporal validity information representing the temporal validity of the data.

2. Method according to claim 1,
characterized in that
the temporal validity information can be defined by the originator.

3. Method according to any one of the preceding claims,
characterized in that
the data comprises random data which are unique for a time span defined by the temporal validity information.

4. Method according to any one of the preceding claims,
characterized in that
the data is a login key for a communication setup and/or a message.

5. Method for the authenticated transmission of messages,
comprising the following communication setup steps:

- generating a login key by a keyed-hashing method on the basis of random data, temporal validity information and a private key,
- transmitting the login key from an originator to a destination, and
- verifying the authenticity and the temporal validity of the login key on the basis of the keyed hashing digest on the destination side.

6. Method according to claim 5,
furthermore comprising the following acknowledgment steps:
in case the verification of the authenticity and the temporal validity of the login key is positive,

- generating an acknowledgment key by a keyed-hashing method on the basis of second random data and the private key,
- transmitting the acknowledgment key from the destination to the originator, and
- verifying the acknowledgment key by the originator.

7. Method according to claim 6,
characterized in that
the acknowledgment key furthermore comprises a time stamp and when verifying the acknowledgment key it is checked on the basis of the time stamp and the temporal validity information whether the acknowledgment key is still valid.

8. Method according to claim 6 or 7,
furthermore comprising the following message transmission steps:
in case the verification of the acknowledgment key is positive,

- extracting the second random data from the acknowledgment key,
- generating a message by a keyed-hashing method on the basis of the second random data, message data and the private key,
- transmitting the message from the originator to the destination, and
- verifying the message by the destination.

9. Method according to claim 8,
characterized in that
the message furthermore comprises a time stamp and when verifying the message it is checked on the basis of the time stamp and the temporal validity information whether the message is still valid.

10. Software program product,
characterized in that
it implements, when loaded into a computing device of a distributed system, a method according to any one of the preceding claims.

11. Distributed system for communicating authenticated data from an originator to a destination,
designed for a keyed hashing technique according to which data to be authenticated is concatenated with a private key and then processed with a cryptographic hash function, and the data are transmitted together with the digest of the hash function from the originator to the destination,
characterized in that
the data comprises temporal validity information representing the temporal validity of the data.

12. Distributed system according to claim 11,
characterized in that
the originator is designed to define the temporal validity information.

13. Distributed system according to claim 11 or 12,
characterized in that
the data comprises random data which are unique for a time span defined by the temporal validity information.

14. Distributed system according to any one of claims 11 to 13,
characterized in that
the data is a login key for a communication setup and/or a message.

15. Distributed system for the authenticated transmission of messages comprising:

- an originator designed to generate a login key by a keyed-hashing method on the basis of random data, temporal validity information and a private key,
- a network for transmitting the login key from the originator to a destination,

wherein the destination is designed to verify the authenticity and the temporal validity of the login key on the basis of the keyed hashing digest.

16. Distributed system according to claim 15,
wherein the destination is designed to generate an acknowledgment key by a keyed-hashing method on the basis of second random data and the private key and to transmit the acknowledgment key to the originator in case the verification of the authenticity and the temporal validity of the login key is positive, and
the originator is designed to verify the acknowledgment key.

17. Distributed system according to claim 16,
characterized in that
the acknowledgment key furthermore comprises a time stamp and when verifying the acknowledgment key the originator checks on the basis of the time stamp and the temporal validity information whether the acknowledgment key is still valid.

18. Distributed system according to claim 16 or 17,
characterized in that
the originator is designed to extract the second random data from the acknowledgment key in case the verification of the acknowledgment key is positive, generate a message by a keyed-hashing method on the basis of the second random data, message data and the private key, and transmit the message to the destination, and the destination is designed to verify the message.

19. Distributed system according to claim 18,
characterized in that
the message furthermore comprises a time stamp and when verifying the message, the destination checks on the basis of the time stamp and the temporal validity information whether the message is still valid.